Is Red Hat Working for the NSA?

Christine Hall

On Friday, Roy Schestowitz posted an article on Techrights which seems to accuse Red Hat of being in cahoots with the NSA. According to the article, the company has been building back doors into RHEL for the spy agency. However, the article appears to be long on accusations and short on proof.

I like both Techrights and Schestowitz. Both are controversial and that’s part of what I like about them. However, before making accusations it’s nice to have at least a few facts to back them up.

The article attempts to make the case for using CentOS over RHEL. Indeed, many of us who’re short on bucks and can’t afford Red Hat’s expensive support subscriptions are already using CentOS in server environments. We use it here at FOSS Force to serve web pages? Why? Because not only does CentOS have an extremely capable development team, the distro is in most ways a clone of Red Hat, which means the CentOS development team is able to leverage Red Hat’s research and development and incorporate it into their distro.

“We trust CentOS, whereas trusting Red Hat is hard. RHEL is binary and based on news from half a decade ago, the NSA is said to be involved in the building process, as well as SUSE’s, whereas CentOS is built from source (publicly visible). Microsoft and the NSA do the same thing with Windows and it’s now confirmed that Windows has NSA backdoors.”

[yop_poll id=”33″]

Have you ever compiled a distro from source? Me neither. However, as far as I can tell, the source code for all versions of RHEL is available on the Red Hat website. While it’s true that Red Hat isn’t as transparent as they once were with patches, this was brought about by Oracle’s attempts to steal their business. They’ve been very careful, however, to remain compliant with the terms of the GPL.

Note that Schestowitz says “the NSA is said to be involved in the building process…” Said by whom? No link or explanation is offered. It’s true that Red Hat offers a version of the SELinux kernel, which was developed in part by the NSA, but that doesn’t mean they’re colluding with the spy agency.

“RHEL and its derivatives continue to be deployed in many large networks of systems [13], so it’s clear why the NSA would drool over the possibility of back doors in RHEL. Watch out for that. Given the way NSA infiltrated standards bodies and other institutions, it’s not impossible that there are even moles at Red Hat or Fedora.”

Just as there could be moles within any business organization.

Is Red Hat secretly working with the NSA to build back doors into their products? I don’t think so. As far as I can tell, the company is the best of breed when it comes to big business and Linux. The company seems to be a very good open source citizen.

However, if they are up to dirty tricks, I want to know about it. But show me some facts. Don’t just make unfounded accusations.

Related

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

While it is still thin on “proof” in the way of a document outlining cooperation, the article from November does discuss what could perhaps be better described as a rumor of NSA involvenemt which comes by way of a /. commenter who was referencing SELinux specifically when they said, “I work for Red Hat. Not for the NSA. SELinux code does not go from me through the NSA, it actually goes the other way around. The NSA asks me to put code in the Linux kernel and I pass it to Linus. I have reviewed each and every line at one point or another. The NSA may have some magic backdoor somewhere in the Linux kernel, but I’ll stake my name that it isn’t in the SELinux code.”

I think this and the fact that while most other “cloud” companies are experiencing or fearing a squeeze based on recent revelation, RH is surging in revenue, largely on the heels of intelligence contracts. To add fuel to the fire, there have been several high profile exploits in RHEL products eg openssl and gnupg.

In fact, in writing this response, it makes me wonder if you even read the entire article because your only quote from it is from the most speculative and least reference-filled paragraph, almost as if it was intentional.

While I’m almost certain that Red hat isn’t collaborating with the NSA…it would be wise to take every “rumor” or “half-accusation” with a small grain of salt. After all….no one would think the U.S. Government would design or assist with the creation of backdoors into almost every company in the US…(and some outside of it as well!)…and then look what happened. So while I trust Red hat, I won’t be surprised if they end up being patsies!

If the source code is available, they would be complete idiots if they tried to code backdoors. The backdoors would be seen in plain view of the world… and I know that this would have been given huge press time by some individual trying to bury Red Hat. Be it Oracle, Microsoft… or anyone lazy enough or desperate enough about finding good articles to write about. …and this guy is totally lazy and totally desperate to come up with a “good” story that people will be interested in.

This article starts with an incorrect asseration that I accuse “Red Hat of being in cahoots with the NSA.”

No, NSA is a big client of Red Hat (this was not just revealed but also confirmed to me by Red Hat staff some days ago, by E-mail) and it was also confirmed that NSA submits patches to Linux through Red Hat (think of NIST and RSA; we don’t even have NSA E-mail address to keep track of). Back doors can also be added outside the scope of source code, during a build process. My job involves dealing with this risk. I don’t think you read an essential earlier post:

Defending Red Hat makes sense, but mischararctering my position is a little unfair. I note that trusting Red Hat is not easy and based on articles I read half a decade ago, NSA was involved in the build process of Windows, OS X, SUSE, and Red Hat (only those 4 were mentioned).

I am one of the CentOS developers. This guys comments are hard to believe. First, if there were issues in RHEL, those same issues would exist in CentOS. The only way they would not is if Red Hat also published source code with the back doors removed after they had been compiled in. I just do not see it happening. CentOS is happy for any and all users, but that article has zero credibility to me.

While reading I was formulating this response, but Johnny Hughes beat me to it: if there’s backdoors in the RedHat source they will be in CentOS. If there’s a backdoor in SELinux it would be in every kernel. (enabled or not is another issue). For very paranoid people: it is possible to write a piece of code that LOOKS LIKE it does one thing but actually DO something different, thus slipping through review process and ending up in the kernel, but this is highly unlikely. More plausible way of sneaking a backdoor into Linux Kernel for NSA is embedding it into binary-only firmware for some of the hardware loaded by Linux (bnx2 comes to mind). Or even better – embed it directly into EFI firmware during motherboard production.

i interviewed two se-linux developers last year about the issue of the nsa implanting backdoors in the code. their comments are in this article: http://bit.ly/1e0OYSO

every tech company – and not merely computer company – based in the us, is, unfortunately now under a cloud. boeing lost a big contract to a swedish firm recently and cisco has complained to federal government officials that it stands to lose sales abroad due to the spying scandal.

red hat should come out and issue a statement to douse these rumours. but i doubt that will happen as dealing with the media in an open manner is not its strong point.

Is RedHat in the NSA’s pocket? Probably but the points made in this artical are just stupid. You wan’t proof …

A. General Henry Hugh Shelton (Chairman of RedHat)
B. RedHat’s top paying customer is the NSA.

Everything about RedHat screams Military, if you don’t think there working with the NSA then you need to wakeup.

You can point to the fact that everything is open but I can point you to an Off By One bug that will ruin your day and you would never even realize it was an exploit unless you knew that particular code base that the bug resideds in like the back of your hand.

CentOS is just another remasted distro. RHEL isn’t very good eather. You would think for what it is most server related software would just work out of the box but most of it doesn’t.

@Dr. Roy Schestowitz The last thing I’d purposefully do is mischararcterize your position. I’ve been a big supporter of both your work and of Techrights going back to the Boycott Novell days. Most of the time, I find that your position is extremely close to my own.

“I don’t think you read an essential earlier post…”

Actually, I did. I read every link in the post in question and looked at most if not all links in those articles as well. Unless I’m missing something, I don’t find anything that would link Red Hat to cooperation with U.S. intelligence operations.

Indeed, from information from the Snowden leaks, it appears to be fact that Microsoft has engineered back doors in Windows and has cooperated with the feds on other matters as well, as would be expected from Microsoft–but that doesn’t implicate Red Hat. Nor does the mere fact that the U.S. defense department is a major Red Hat client–not without a lot of digging to find evidence of wrongdoing. Nor does the fact that CEO Jim Whitehurst came to Red Hat by way of Delta Airlines where he served as Chief Operating Officer.

As far as I can tell, none of what is mentioned in your post points to any evidence wrongdoing by Red Hat. And while Snowden has leaked much evidence of Redmond’s collaboration with the NSA, he has not yet released any documents implicating Red Hat, as far as I know.

Again, Techrights remains one of my favorite sites and I think that the work you do is extremely valuable to the free software community. However, I think this post casts blame where there is no evidence of wrongdoing.

I was thinking along the same lines — that Edward Snowden’s leaks (by the way, they’re not just his anymore, as anonymous people from the NSA reportedly leak more and more documents to be published under his name for their safety) can at some stage show encryption undermined at more levels (hardware level, or even kernel level). We already know that encryption was undermined at RSA and NIST by NSA moles, using bribes too. We also know that Linux (kernel) developers recently revised random number generators, after they had found a weakness.

Several state officials (in 6 state at the very least) now work to stop the NSA locally. Some call for a ban on companies that facilitate the NSA (that would include Red Hat), under the premise that they are complicit in crime. I am not kidding, watch the news this week (I don’t want to paste links here as the last time I did so my comment took half a day to appear).

Lastly, there are numerous E-mails sent from and to Red Hat. These further validated my suspicions.

I saw a lot of personal attacks (trying to discredit me or even remove links to my analyses). I even heard the usual personal attacks against Sam Varghese (which I expected from Red Hat because he dares to do real journalism, i.e. journalism that companies don’t like).

Trusting Red Hat should be based on its record, not emotional leanings and faith.

Don’t get me wrong. I was not offended by you and you oughn’t be offended by my response. I am used to this type of divisive treatment (people trying to ostracise me) since the days I criticised Novell — only to be proven right throughout and at the very end (Novell gave its patents to Linux foes).

I hope you will wait patiently for more information and assess the facts based on their merit. Don’t rely purely/solely on what you read in OpenSource.com (Red Hat). I saw Novell doing its self-delutional spiel (IP “peace of mind”) and fortuntely, at the end, Novell did not find enough fools to sell its lies to.

I have been frank in my analysis of Red Hat (on patents, build process, etc.) and if you want links for particular bits of my claims, just ask. I have a repository of tens of thousands of links I collect while researching. Sometimes people refuse to accept even a well-sourced claim because of cognitive disonance — something I’ve had a lot of experience with when dealing with Microsoft spinners.

“Journalism is printing what someone else does not want printed: everything else is public relations.”

The problem with making this out as a non-starter because RHEL/CentOS or any other Red Hat product is open source is that we know that’s not enough anymore. Ya’ll keep saying there is no evidence of direct involvement of Red Hat but there is evidence of indirect involvement and if you ignore indirect involvement after the Snowden leaks started you’re in exactly the same place as the folks who turned noses up at the idea of surveillance by NSA in general before June 2013.

We know NSA has approached Linus. We know NSA has clandestinely submitted code to open source projects through third parties, NSA docs confirm this as a tactic. NSA docs also confirm these submissions can be made to look like mistakes or other coding errors as opposed to backdoor code. If NSA has approached the topmost kernel developer don’t you think they have approached others? Might they not approach individuals they already have a close relationship?

I just don’t understand how you can say there is nothing that links Red Hat to US intelligence when Red Hat’s largest customer is US intelligence.

Even if they aren’t cooperating by way of code they are certainly cooperating by way of software support. The metadata program is one giant GNU+Linux Big Data project, the documents prove that. We know Red Hat has intelligence contracts. I’m guessing they’re not just installing printers, I’m guessing they’re doing what they do best which is provide Big Data support.

It’s not an issue of faith. So far, it’s all speculation. Connect the dots…

I apologize for the long wait time for approval. You posted in the wee hours of the morning local time. We had weather related issues on the premises this morning which caused us to notice you’re comment.

Does this issue, by extension involve Fedora as well? I do a lot of work with Fedora, RHEL and SUSE Linux Enterprise and CentOS now being a Red Hat project, I am no longer sure.

I agree that Novell essentially killed SUSE’s reputation (but in return got SUSE more visibility in the Enterprise space) – but since spinning off from Novell has it been better? I actually do like openSUSE/SLED/SLES and use openSUSE a lot. Pure Free Distros like Trisquel amd GNUSense just does not work with the “budget” hardware that I have.

It is _not_ purely speculative. If you think that it is, then you must not have paid close enough attention.

I have been spending at least 2 hours per day since 2012 reading about the NSA. I knew what Snowden showed even before it was publicly known and I spoke about it with RMS on numerous occasions (he came to the UK to meet Assange and then myself, focusing on mass surveillance).

The truth of the matter just needs a little digging because the corporate press is not helping the general public find it out, just like it knowingly ‘buried’ a captured agent in Iran for several years (this leaked out in November).

Similarly, GNU/Linux sites did a very poor job covering (if at all) what happened in recent months regarding Linux. Let me summarise some facts (without links, as I don’t want to be put in the moderation queue again):

– Torvalds’ father said that the NSA had approached his son regarding back doors.

– Linux had a back door added to it about a decade ago. It got removed quickly afterwards and it wasn’t known who had added it. There was press coverage about it, but it was scarce.

– RSA received a bribe from the NSA to promote security standards with back doors.

– NIST and others had NSA moles and bogus (corrupt) peer review process to help usher in security standards with back doors.

– NSA is a large Red Hat client.

– The NSA sends patches to Red Hat, which in turn sends those for Linus Torvalds to put in Linux.

(the above two are now confirmed to me by Red Hat staff)

– BSD does not trust hardware-level random number generators, suspecting — quite rightly given the NSA’s track record — that it has too low an entropy.

– Several top-level Linux developers found vulnerabilities in Linux random number generation. They quietly (without much press coverage anywhere) addressed the issue (raising the entropy) a few months back. Only the latest kernel release has the fixes applied AFAIK (I don’t know if Greg K-H backported any of it because coverage is too scarce). To lay out the magnitude of this issue, it compromises SSL, PGP, etc. (pretty much everything with encryption, even passwords) not just at client side (desktop, tablet, smartphone) but also the server side (i.e. the Internet). This is huge! But the media hasn’t covered it.

Suffice to say, Red Hat has not done anything to convince me I was wrong. Instead, I notice that Red Hat staff is stalking me in LinkedIn and I see my article cited in several news sites which wrote about the issue in several languages (3 articles in Google News are in Spanish).

If you found holes in the above statements or if you want links attached, please request them and I will provide citations. I wrote about everything before, even years ago (NSA involvement in SLE* and RHEL I covered around 2007 or 2008).

I am frustrated to see people turning against the messenger rather than the message. I see a lot of the same done to Sam Varghese. We are making ourselves more vulnerable by refusing to listen to what seems uncomfortable.